Sapin 2 Law: Anti-Corruption Compliance Obligations for Companies

The Law of 9 December 2016 on transparency, anti-corruption measures, and the modernization of economic life, known as "Sapin 2," marked a break in French corruption-prevention law. Seven years after it came into force, its application is now well established and its sanctions are real.

TL;DR

• Article 17 imposes eight preventive measures on large companies.
• The Agence française anticorruption (AFA) oversees their implementation.
• Non-compliance triggers an order, then a fine of up to one million euros for the legal entity.
• The CJIP (convention judiciaire d'intérêt public, a French form of deferred prosecution agreement), introduced by the same law, has transformed the criminal handling of corruption.

Companies in Scope

Article 17 of the Sapin 2 Law applies to companies meeting two cumulative criteria:

• at least 500 employees;
• consolidated revenue exceeding 100 million euros.

Parent companies must ensure compliance throughout their subsidiaries. The thresholds are assessed at group level.

Beyond these thresholds, many mid-sized companies voluntarily implement compliance programs, particularly when they work with large clients subject to Sapin 2 or with US partners subject to the FCPA.

The Eight Obligations Under Article 17

1. The Code of Conduct

The central document: it describes prohibited and permitted conduct. It must be appended to the company's internal regulations. Its drafting must be clear, accessible, and adapted to the company's culture.

2. The Internal Whistleblowing Mechanism

Consistent with the Law of 9 December 2016 and the European Directive of 23 October 2019 (transposed by the Waserman Law of 21 March 2022), it must guarantee:

• the confidentiality of whistleblowers;
• protection against retaliation;
• effective handling of reports.

3. The Risk Map

"The risk map is the cornerstone of the entire program. A superficial map empties the program of its substance. A rigorous map allows resources to be prioritized on the areas of genuine exposure."

It identifies the corruption risks to which the company is exposed based on its activities, geographic footprint, and counterparties. It is regularly updated.

4. Third-Party Due Diligence Procedures

The company must assess the situation of its clients, first-tier suppliers, and intermediaries against the risk map. This is the application of the anti-corruption due diligence principle.

5. Accounting Control Procedures

Both internal and external, they aim to prevent the recording of transactions that could conceal acts of corruption.

6. The Training Program

Aimed at managers and exposed personnel. It must be documented and regularly updated.

7. The Disciplinary Regime

Sanctioning violations of the code of conduct. It must be effective and proportionate.

8. The Internal Control and Evaluation System

Regular audits verify the effectiveness of the program. The findings feed continuous improvement.

The Role of the AFA

The AFA is the supervisory authority. It may:

• conduct on-site and desk reviews;
• issue recommendations;
• issue formal warnings;
• refer cases to the sanctions committee in the event of persistent non-compliance.

The independent sanctions committee may impose:

• compliance orders;
• financial penalties of up to 200,000 euros for individuals and 1 million euros for legal entities;
• publication of the decision (a particularly deterrent sanction).

The Criminal Dimension: the CJIP

The Sapin 2 Law introduced the convention judiciaire d'intérêt public (CJIP, broadly equivalent to a deferred prosecution agreement), allowing a legal entity charged with corruption to reach a settlement with the prosecutor without any admission of guilt.

This procedure has profoundly changed the criminal landscape of corruption. It allows the company to:

• avoid trial and a conviction;
• cap the financial penalty at 30% of average three-year revenue;
• implement a compliance program under AFA supervision;
• preserve its contractual capacity (notably for public procurement).

Several landmark CJIPs have been concluded: Societe Generale (2018), Carmignac Gestion (2019), Bollore (2021), Bouygues TP (2024). They have set transactional standards that now structure the practice.

Stakes for Executives

The personal liability of executives is engaged on several levels:

1. For the implementation of the program. A deficient program may constitute personal misconduct.
2. For individual acts. The CJIP extinguishes public prosecution only against the legal entity. Executives remain individually prosecuted.
3. For personal consequences. A conviction may result in a ban from practicing, ineligibility for public office, and significant additional sanctions.

Defending executives requires a strategy coordinated with that of the company, in a context where interests may diverge.

Common Pitfalls

The Cosmetic Program

Purely formal programs that are not operational in practice are particularly exposed. The AFA and the prosecutor look for genuine effectiveness, not appearances.

The Static Risk Map

A risk map that is not updated loses all operational value. The dynamic nature of the program is a key criterion.

The Absence of Dedicated Governance

The program must have an identified owner, a dedicated budget, and direct access to senior management. Disconnection between compliance and top management is a red flag.

Outsourcing Controls Without Oversight

Outsourcing due diligence without genuine internal control does not exempt the company from liability. Gaps in the third-party chain remain attributable to the company.

In Summary

The Sapin 2 Law has made corruption prevention an enhanced best-efforts obligation. For companies in scope, the challenge is no longer formal compliance but having a program that is genuinely operational.

The firm assists companies in designing, evaluating, and defending their compliance programs, and in managing AFA reviews and criminal proceedings.